Adds file inspection callback and example code #170
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This PR was replicated from an internal backlogged PR. It is pending additional research & testing. I'm not yet certain this new API offers the best parameters. Will have to work with other teams to demonstrate its value. |
|
I forgot to note that to test the example program ex3, you need to tell it where to load libclamunrar_iface for RAR support to work. Eg: LD_LIBRARY_PATH=/home/micasnyd/workspace/clamav/build/libclamunrar_iface ./examples/ex3_file_inspection ~/Downloads/test-files.zip |
val-ms
force-pushed
the
CLAM-1402-firepower-archive-inspection
branch
from
a283af5 to
8ad5dfc
Compare
|
Some issues identified in review so far:
|
val-ms
force-pushed
the
CLAM-1402-firepower-archive-inspection
branch
from
1dfacb6 to
97ef21f
Compare
val-ms
added
⚒️Work in Progress (WIP)
and removed
🚧experiment
val-ms
force-pushed
the
CLAM-1402-firepower-archive-inspection
branch
from
13395b8 to
b44d803
Compare
|
I've updated this PR once more, making it so the "is normalized" and "was encrypted" booleans are provided in an attributes flag field that may be extended without breaking the API. I'm content with how this works now. Ready for review. |
shutton
suggested changes
Mar 7, 2022
val-ms
force-pushed
the
CLAM-1402-firepower-archive-inspection
branch
from
ad19210 to
d0b39c2
Compare
val-ms
force-pushed
the
CLAM-1402-firepower-archive-inspection
branch
from
d0b39c2 to
359a459
Compare
val-ms
force-pushed
the
CLAM-1402-firepower-archive-inspection
branch
from
359a459 to
0cff2a8
Compare
|
Just rebased to update it. |
libclamav callbacks can be used to access embedded file content at each layer of extraction during the course of a scan. The existing callbacks only provide access to the file descriptor and a guess at the file type. This patch adds a new callback for the purposes of file/archive inspection that provides additional insight into the embedded file. This includes: - ancestors: an array of parent file names - parent file size: the size of the direct parent layer - file name: current layer's filename, if any. - file buffer (pointer) - file size: size of file buffer - file type: just a guess at the current file's type - file descriptor: may be -1 if the layer is in-memory only. - layer attributes: a flag field. see LAYER_ATTRIBUTE_* defines in clamav.h Two new example apps are added that are automatically built when compiling under CMake: - ex2 demonstrates the prescan callback. - ex3 demonstrates the new file inspection callback. The examples are now installed if enabled, so you can test them in the Docker image, and so that they'll be colocated with the DLLs so you can test them on Windows. The installed examples should also be able to find the UnRAR library at run time, without having to set LD_LIBRARY_PATH. This commit also sets the fmap->name in an fmap-scan using the basname of the provided filename if the caller provided the filename and the provided fmap does not have the name set.
Also demo the post-scan callback with alert-encrypted enabled.
The current implementation sets a "next layer attributes" flag field in the scan context. This may introduce bugs if accidentally not cleared during error handling, causing that attribute to be applied to a different layer than intended. This commit resolves that by adding an attribute flag to the major internal scan functions and removing the "next layer attributes" from the scan context. This attributes flag shares the same flag fields as the attributes flag in the new file inspection callback and the flags are defined in `clamav.h`.
val-ms
force-pushed
the
CLAM-1402-firepower-archive-inspection
branch
from
0cff2a8 to
1b13b99
Compare
|
Test results look good. Merging. This new callback API will likely be annotated as "unstable" in the upcoming feature release in case we are required to adjust the parameters in the next feature release. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
libclamav callbacks can be used to access embedded file content at each
layer of extraction during the course of a scan. The existing callbacks
only provide access to the file descriptor and a guess at the file type.
This patch adds a new callback for the purposes of file/archive
inspection that provides additional insight into the embedded file.
This includes:
Two new example apps are added that are automatically built when
compiling under CMake:
The examples are now installed if enabled, so you can test them in the
Docker image, and so that they'll be colocated with the DLLs so you can
test them on Windows. The installed examples should also be able to find
the UnRAR library at run time, without having to set LD_LIBRARY_PATH.
This commit also sets the fmap->name in an fmap-scan using the basname
of the provided filename if the caller provided the filename and the
provided fmap does not have the name set.